Jan 18 2010
Spam, Phishing and Hoax Email
This morning, a client forwarded an email to me, thinking it might be a fraudulent message (as, indeed, it was):
Attention: PROAXIS.COM Email User
PROAXIS.COM is upgrading database Servers from the
old Servers (Nol06769) to the new Servers (No521766).
You are to fill the details below to enable us upgrade and
verify from the old server. FILL THE DETAILS BELOW OR ANYWHERE IN THE MAIL
Email Address:
Password:
Address:
City:
Attention: Account owners who do not update his or her account immediately you receive this Notification will have problems using our online facilities effectively.
Notification Code: CZX1G13ABJ
The ” PROAXIS.COM ” Upgrade Team
Thanks for your co-operation.
Copyright (c) 2010. All rights reserved.
Of course, this is a fake; responding to it would be dangerous and very probably disastrous. I’m asked questions like this with some frequency, so I thought I’d share some thoughts on the subject. First a few general principles:
1) No legitimate company, service provider or merchant will EVER ask you for this information by email or at a website; you should assume that any request for your identifying information is fraudulent until proven otherwise.
2) Never use the links in an email like this; it’s possible to place a link on the page that states one address but takes you somewhere else. For example, clicking on the following link: www.google.com will NOT take you to Google; try it … I’ll wait …
This is a fairly simple use of hyperlink misdirection; I did it with a webpage, but it is just as easy in an email. The same principle holds true for email address links in emails and on websites. And if I can do it in 30 seconds using the most primitive of techniques, believe me, there are slicker methods out there.
3) My rule of thumb is that if my bank, internet service provider, credit card company, or anyone else with whom I do business ever wants something that badly, they can call me and authenticate themselves by telling ME information that only they and I would know.
4) If I ever think that a request like this may be legitimate, I call the firm directly, using the number in the phone book, NOT one given in the email (which, in the case of a spam or hoax, might well be fraudulent anyway) and ask them.
Or I go to the firm’s website using their web address, if I already know it, or by Googling it to make sure that I’m going to the legitimate site for this firm; then, if there’s information on that site that corroborates the information I originally got, I can proceed with some confidence, again using the website I looked up. As I said above, never use the links in the email, which may be false.
5) I also look for grammar and usage in the email that may betray the sender as someone for whom English is not a native language, which is often a good indicator. The phrases:
You are to fill the details below to enable us upgrade and
verify from the old server.
and:
Account owners who do not update his or
her account immediately you receive this Notification …
as well as the quotes around the company name certainly convey the idea that the writer is not familiar with the grammar, syntax and level of professionalism that a technical writer or content professional would use. You cannot, of course, use this as a primary criterion, because there will be hoax-sters with more sophistication and a greater grasp of English than others, but it can be a significant piece of corroborating evidence.
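The hyperlink misdirection described under principle 2 can be checked mechanically by comparing what a link says with where its href actually goes. The following Python is an added example rather than the author's code; the sample HTML fragment is constructed to hold one honest link and one that names Google but leads elsewhere.

```python
# Added example, not code from the original post: flag hyperlinks whose visible
# text names one site while the href sends the reader somewhere else, the trick
# demonstrated above with the www.google.com link. The sample HTML is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_named_in_text(text):
    """Host the link text appears to name, or None if it does not look like an address."""
    t = text.strip().lower()
    if t.startswith(("http://", "https://")):
        t = t.split("//", 1)[1]
    host = t.split("/")[0]
    return host if "." in host and " " not in host else None

def misdirected_links(html):
    """Return (text, href) pairs whose text names a host the href does not lead to."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        shown = host_named_in_text(text)
        real = (urlparse(href).hostname or "").lower()
        # A subdomain of the named host (mail.google.com for google.com) is accepted.
        if shown and real != shown and not real.endswith("." + shown):
            flagged.append((text, href))
    return flagged

# Constructed sample: the first link is honest, the second says Google but is not.
SAMPLE_HTML = ('<p>Go to <a href="https://www.google.com/">www.google.com</a> or '
               '<a href="http://example.net/login">www.google.com</a> now.</p>')
```

Links whose text is plain words ("click here") are not judged, since they name no address to compare against.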
You can also look at the email “header”. The header is a section of the email, usually invisible under normal conditions, that contains all kinds of information about the email such as the address it originated at, a list of the servers or computers it passed through on its way to you and various other bits of information. You can usually find an option in your email message’s ‘Edit’ or ‘View’ menu that will display this header information. Here’s part of the header information in the email my client got this morning:
X-Cloudmark-Score: 0.000000 []
X-Cloudmark-Analysis: v=1.0 c=1 a=VtpIoHOd8CEA:10 a=KKiOUAaYztQA:10 a=ZlYnxlA6XxBI2NQjOcqQGQ==:17 a=7s-DNXl0AAAA:8 a=4gah6qo8FxDZ3pDJQicA:9 a=_K-MYw127GBc3rEXFsIA:7 a=zwBHuKQGca8JLwHLWjA6mzSuscEA:4 a=txvrPQ3NrNQA:10 a=_k6BP71vv7YA:10 a=Jz6db_7HcwPeSShJ:21 a=1-smVbazZm8F-kDG:21
From: “PROAXIS.COM SUPPORT TEAM” <helpdesk@proaxis.com>
Subject: VERIFY YOUR ACCOUNT *** ACCOUNT OWNER’S ***
X-Mailer: CommuniGate Pro WebUser v5.2.16
Date: Fri, 15 Jan 2010 02:43:11 +0100
Organization: PROAXIS.COM SUPPORT TEAM
Reply-To: database.no521766server1@ymail.com
To: undisclosed-recipients:;
Much of the header information will be incomprehensible to you, but some bits, like the “From:” address and the “Reply-To:” address, can be revealing. In this case, the hoax-sters used a believable “From:” address (helpdesk@proaxis.com), but the “Reply-To:” address (the address that any reply would be sent to if you hit the ‘Reply’ button in your email program) showed something completely different. The email above showed the following ‘Reply-To’ address:
Reply-To: database.no521766server1@ymail.com
ymail.com is the Yahoo! email server, so we know right away that this email did not come from Proaxis and that any reply would have been sent to a user account named database.no521766server1 on Yahoo’s mail server.
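The From/Reply-To comparison just described, as an added Python example (not the author's code), run over a header block constructed from the fields quoted above:

```python
# Added example, not code from the original post: parse the message headers and
# compare the domain of the From: address with the domain of the Reply-To: address.
# The header block below is constructed from the fields quoted in the post.
import email
from email.utils import parseaddr

SAMPLE_HEADERS = """\
From: "PROAXIS.COM SUPPORT TEAM" <helpdesk@proaxis.com>
Subject: VERIFY YOUR ACCOUNT *** ACCOUNT OWNER'S ***
X-Mailer: CommuniGate Pro WebUser v5.2.16
Date: Fri, 15 Jan 2010 02:43:11 +0100
Organization: PROAXIS.COM SUPPORT TEAM
Reply-To: database.no521766server1@ymail.com
To: undisclosed-recipients:;

"""

def address_domain(header_value):
    """Domain part of the first address in a header value, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def reply_to_check(raw_message):
    """Return (from_domain, reply_domain, mismatch).

    mismatch is True when a Reply-To: header is present and its domain differs
    from the From: domain, meaning a reply would go somewhere other than the
    apparent sender. A message with no Reply-To: at all is not flagged.
    """
    msg = email.message_from_string(raw_message)
    from_dom = address_domain(msg.get("From"))
    reply_dom = address_domain(msg.get("Reply-To"))
    return from_dom, reply_dom, bool(reply_dom) and reply_dom != from_dom
```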
One last thing: If you receive an email that purports to come from your bank, internet service provider or some other service known to you, looks genuine, and turns out to be a hoax, like the one above, do yourself and your bank or servicer a favor and forward the email to them with a note letting them know that you got it. The email (and the knowledge that someone is imitating them) can help a firm in two ways:
1) They can use header information in the email to trace the email and can often get the fraudulent sender’s account (at Yahoo!, in the above example) canceled.
2) They can alert other customers (who may very well be getting this same email) that it is, indeed, a hoax and advise them to disregard it.
Perhaps these thoughts can help you more easily spot fraudulent emails in the future. If so, I am glad to have been of some use to you.
Byron
Up & Running Computer Services
===================
One response so far
This is such an excellent article, I linked to it from my blog.
Thanks!